McAfee: Hacker ‘Project Blitzkrieg’ Poses Real Threat

A call for botnet operators to collaborate on attacking 30 US financial institutions appears to be a ‘credible threat’ after all, according to security firm McAfee

Some researcher thought it was a law-enforcement sting. Others theorised that it was an elaborate joke. But a call for botnet operators to collaborate on attacking the customers of 30 US financial institutions appears to be a “credible threat”, said security firm McAfee in a report issued on 13 December.

The operation, known as Project Blitzkrieg, was announced in a semi-private underground forum in September, and described by security firm RSA in a blog post in October. The announcement is the “making of the most substantial organised banking-Trojan operation seen to date”, the company stated in its 4 October blog post.

Command-and-control server located

In its own research, McAfee, a subsidiary of Intel, tracked down the command-and-control server used by the hacker vorVzakone, who made the forum announcement. The posting included screenshots that gave McAfee enough evidence to track down the bot software used by the hacker and what appears to be a test of the infrastructure for the attack.

“Although Project Blitzkrieg hasn’t yet infected thousands of victims and we cannot directly confirm any cases of fraud, the attackers have managed to run an operation undetected for several months while infecting a few hundred,” the McAfee report stated.

The group used a Trojan known as Gozi Prinimalka, a variant of the Gozi Trojan created in 2008, that has always been used to commit financial fraud. The program was not created by vorVzakone, but an early group that appears to no longer be actively developing the malicious software, said Ryan Sherstobitoff, a researcher with McAfee Labs.

While the Trojan is not new, the calls for collaboration and the improvement to the command-and-control (C&C) server are new, he said.

“Really, what is new is the collaboration and the innovative back-end (C&C server), where he supplies all the information as to the drop accounts, how to transfer money properly, and many other details,” Sherstobitoff said. “What people thought was a joke has ended up being credible.”

Real threat

McAfee used two identifiers leaked by the images posted online to match the campaign pictured in the images to a specific binary caught by the company’s automated analysis systems. The existence of the malware, which was caught by McAfee in April, suggests that at least some of the claims are real.

The Gozi Prinimalka variant discovered in April by McAfee was first seen in the wild on 29 March and may have infected hundreds of banking customers, according to the report. The latest variant, released in October, is controlled using a C&C server in Romania and has targeted financial institutions exclusively in the United States.

“On 9 September, in the post, he said that he would release the trojan to individuals a couple weeks after they passed an interview,” said Sherstobitoff. “Well, we saw a new Gozi Primimalka campaign spring up in October and end on 30 November with more than 80 victims.”

McAfee expects future attacks to also hit only a modest number of victims to stay under law enforcement’s radar and make it harder to defend against.

“A limited number of infections reduces the malware’s footprint and makes it hard for network defences to detect its activities,” the report stated.